FFT news digest January 1 2021

Brexit and data transfers

If you want to see what "taking back control" means in practice, then look no further than the provisions for data transfers under the EU-UK Trade and Cooperation Agreement. At first sight, the inclusion of a four-month transitional period (which can be extended to six months) for continued transfers of personal data from the EU to the UK will be a relief. Look closer and the constraints on British "sovereignty" are clear. The transitional period depends on the UK keeping its existing data protection legislation exactly as it is. Changes can be made only with the EU's agreement, otherwise the period ends automatically. The Trade and Cooperation deal makes no mention of the "adequacy" assessment being conducted by the European Commission. This is the process that determines whether personal data can be sent from the EU to a third country without the need for additional safeguards. As we've reported previously, UK surveillance laws could present an insurmountable obstacle to a positive decision.

Threats

Brexit: Many organisations are emailing customers about changes brought about by the UK's departure from the EU single market, but the moment is also being exploited by criminals. Watch out for fake messages, malicious links and attempts to steal credentials.

Gift cards: Criminals are using Amazon gift cards as a lure to try to install malicious software on target computers. Emails promise a $100 gift card which (implausibly) Amazon is supposed to have sent as a "Thank You". Clicking on the link downloads a malicious Word document that asks the user to 'Enable Content', which runs the macros embedded in the document. Doing so installs powerful software that can steal login details and record keystrokes among other bad things. Cybereason
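The attack chain above hinges on a document that carries a VBA project, because that is what 'Enable Content' runs. The script below is an added example (not code from the digest or from Cybereason) showing how a mail gateway or triage script can spot such an attachment without opening it: modern Office files are zip containers, and a macro-enabled one contains a vbaProject.bin part regardless of the file extension. The sample "attachments" are constructed in memory and are not real Word files; legacy binary .doc files are OLE2 containers that need a dedicated parser (such as oletools' olevba), so they are only flagged for manual review here.

```python
"""Flag Office attachments that carry a VBA project.

Added example. Checks the zip container of an OOXML document for a
vbaProject.bin part; legacy OLE2 (.doc) files are flagged for a separate
parser rather than inspected here.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.docm/.xlsm container


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'unknown' for a file body."""
    if data.startswith(OLE2_MAGIC):
        # Binary Office format: macros live in an OLE stream, use olevba-style parsing
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return "unknown"
    # The VBA project sits under word/, xl/ or ppt/ depending on the application,
    # and a .docm renamed to .docx still carries it, so match on the part name.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "no-macro"


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (hypothetical names)
SAMPLES = {
    "Amazon_Gift_Card.docm": _build_ooxml(with_macro=True),
    "invoice.docx": _build_ooxml(with_macro=False),
    "old_format.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text",
}


def triage(samples=SAMPLES) -> dict:
    """Classify every attachment in the mapping and return name -> verdict."""
    return {name: classify_attachment(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:24s} {verdict}")
```

A verdict of "macro" is not proof of malice, but for inbound mail from outside the organisation it is a strong enough signal to quarantine the message for review rather than deliver it.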

Puppies: Scam websites offer pets for sale, most of them dogs. They're not sophisticated; one testimonial discusses how an Alsatian had "hatched". As always, when an offer looks too good to be true, most likely it is. Anomali

Macs: It's essential that Mac users aren't complacent about the threat from malicious software and ransomware, but compared to Windows the main issue continues to be adware: programs designed to earn money from fake adverts. Dark Reading

BEC: A reminder that Business Email Compromise is a significant threat for organisations of all sizes. If you haven't experienced it yet, chances are you will. In 2020, attacks nearly doubled according to research by Barracuda, and they're becoming ever more sophisticated. BEC depends on persuading an employee to transfer funds to an account controlled by attackers.

Passwords: Privacy International does a lot of great work (e.g. its revelations about the extent of data recorded by menstruation apps), but its latest advice "to frequently change passwords" is flawed both grammatically and practically. As the National Cyber Security Centre says, "regular password changing harms rather than improves security." Do change your password if you think someone else knows it (or if it's the same as any of your other ones). Otherwise, it's fine to leave it just as it is.

SolarWinds

Some positive developments as a result of the calamitous breach of SolarWinds infrastructure. Two free tools have been released to help administrators analyse what is going on in their Azure/Microsoft 365 environments. The US Cybersecurity and Infrastructure Security Agency's PowerShell-based utility is designed to detect anomalies and potentially malicious activity. Security company CrowdStrike also has a tool that analyses the privileges assigned to third-party resellers and partners. Less positively, Microsoft says some of its code repositories were accessed as a result of the breach.
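The tools mentioned above work largely by pulling the Microsoft 365 unified audit log and looking for a short list of identity changes that an attacker who has compromised the tenant tends to make: altering domain federation, adding credentials to applications or service principals, and granting permissions or roles. The script below is an added example (not CISA's or CrowdStrike's code) of that triage run over exported audit records, one JSON object per line as returned in the AuditData field of Search-UnifiedAuditLog. The watch-list is illustrative rather than either tool's actual rule set, and the log lines are constructed for the demo.

```python
"""Triage exported Microsoft 365 unified audit log records for high-risk
identity changes. Added example; the watch-list and the sample records are
constructed for illustration.
"""
import json
from collections import Counter

# Operation -> why an analyst cares. Azure AD operation names carry trailing
# punctuation, stray spaces and an en dash, so matching uses a normalised form.
WATCHLIST = {
    "set domain authentication": "domain switched to/from federated authentication",
    "set federation settings on domain": "federation trust or signing certificate changed",
    "add service principal credentials": "new secret or certificate on a service principal",
    "update application - certificates and secrets management": "new credential on an application",
    "add delegation entry": "new OAuth2 permission grant",
    "add member to role": "privileged directory role assignment",
}


def normalise(op: str) -> str:
    """Canonical form of an operation name for watch-list lookup."""
    return op.strip().rstrip(".").replace("\u2013", "-").lower()


def triage(lines):
    """Return (findings, count of findings per actor) for an iterable of JSON lines."""
    findings = []
    by_actor = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip export noise rather than abort
        op = normalise(rec.get("Operation", ""))
        if op not in WATCHLIST:
            continue
        actor = rec.get("UserId", "?")
        by_actor[actor] += 1
        findings.append({
            "time": rec.get("CreationTime"),
            "actor": actor,
            "operation": rec.get("Operation"),
            "target": rec.get("ObjectId"),
            "reason": WATCHLIST[op],
        })
    return findings, by_actor


# Constructed sample export (hypothetical tenant, users and object ids)
SAMPLE_LOG = """
{"CreationTime":"2020-12-14T03:12:08","Operation":"UserLoggedIn","UserId":"alice@example.com","Workload":"AzureActiveDirectory","ObjectId":"Unknown"}
{"CreationTime":"2020-12-14T03:15:41","Operation":"Set federation settings on domain.","UserId":"svc-sync@example.com","Workload":"AzureActiveDirectory","ObjectId":"example.com"}
{"CreationTime":"2020-12-14T03:16:02","Operation":"Add service principal credentials.","UserId":"svc-sync@example.com","Workload":"AzureActiveDirectory","ObjectId":"ServicePrincipal_1a2b"}
{"CreationTime":"2020-12-14T03:20:00","Operation":"Update application \u2013 Certificates and secrets management ","UserId":"svc-sync@example.com","Workload":"AzureActiveDirectory","ObjectId":"Application_9f8e"}
{"CreationTime":"2020-12-14T04:00:00","Operation":"FileAccessed","UserId":"bob@example.com","Workload":"SharePoint","ObjectId":"https://example.sharepoint.com/x.docx"}
not json
"""


def run_sample():
    """Triage the constructed export; used by the demo below."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    findings, by_actor = run_sample()
    for f in findings:
        print(f"{f['time']}  {f['actor']:24s} {f['operation']!r:60s} -> {f['reason']}")
    print("findings per actor:", dict(by_actor))
```

The per-actor count is the useful output: a single service or sync account making several of these changes inside a few minutes is the pattern to investigate first, and the same normalisation lets you feed the real export straight in after confirming the operation names your tenant actually records.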

Arrests

UK police have arrested twenty-one people who sold and purchased stolen credentials on WeLeakInfo, a website that sold leaked or breached information on a subscription basis. The site was seized at the beginning of 2020 when it was found to be storing more than 12 billion data records, including usernames and passwords for online accounts. 2020 saw a series of victories for law enforcement agencies in their Sisyphean struggle against cyber crime. While the threat of online crime continues to grow, so does the probability that those behind it will be caught.

In brief

Phishing fail: We have mixed feelings about using simulated phishing emails to test employees' security awareness. Many people loathe them and we're not convinced they're effective. But if you are going to use them, GoDaddy has provided an excellent example of what not to do. It has apologised for a test that promised its employees a non-existent Christmas bonus to help combat the effects of the pandemic. AFP

Facial recognised: A New Jersey man spent 10 days in jail after being accused of shoplifting and trying to hit a police officer with a car. It's the third known case in the US of a black man being wrongfully arrested on the basis of flawed facial recognition. In this case, not only did the victim look nothing like the perpetrator, he was also 30 miles away at the time of the offence. New York Times ($)

Finnish parliament: Following similar attacks in Norway and Germany, Finland says attackers accessed the email accounts of multiple members of parliament.

Apple party app: Apple has withdrawn an iPhone app that encouraged users to organise underground parties despite social distancing measures and pandemic restrictions. Vybe Together urged users to ‘get your rebel on’. The Verge

Farewell Flash: And finally, a reminder that Adobe has stopped supporting its venerable Flash Player. If it's still on any of your devices, now is the time to delete it - and to ignore any siren calls to update it.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217